What to Tell the Board About Security
It takes only a quick review of recent years' headlines to understand why information security leaders have assumed a higher profile in the upper echelons of the corporate hierarchy. The Targets, eBays and JPMorgan Chases of the world can vouch for the fact that strong security is a pillar of doing business today. Security and risk executives have not only become integral parts of the C-suite; they have also earned the ear of their board of directors. In fact, a 2015 study from the Georgia Tech Information Security Center found that 63 percent of executives and directors said cyber-security is a top boardroom issue, up from 33 percent just three years earlier.

So what are security leaders telling their boards? According to a recent infographic from security analytics firm Bay Dynamics, much of what they relay is not all that helpful.

"A disconnect in communication plagues many organizations, leaving CISOs [chief information security officers] and CIROs [chief information risk officers] struggling to figure out how to effectively report their cyber-risk status to the board," Ryan Stolte, co-founder and CTO at Bay Dynamics, wrote in a blog post about the infographic and a related report, "The CISO's Ultimate Guide to Reporting to the Board." "If C-level executives and board members cannot understand their level of cyber-risk--and put it into context based on the value of their assets and how their most valuable assets are being protected--they cannot make informed decisions to decrease their level of risk."